package com.sang.lesson03;

import com.sang.lesson02.utils.JdbcUtils;

import java.sql.*;

import static com.sang.lesson02.utils.JdbcUtils.getConnection;

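/**
 * Lesson 03: shows that a {@link PreparedStatement} with bound parameters is not vulnerable to
 * SQL injection. {@link #main} passes a classic injection payload as the username; because the
 * value is bound with {@code setString}, the database receives it as a literal string, never as
 * part of the SQL text.
 */
public class SQL注入 {

    /**
     * Entry point: runs the login demo with an injection-style username so the reader can see
     * that the payload matches nothing. Uncomment the first call to try a plain username.
     *
     * @param args ignored
     */
    public static void main(String[] args) {

        //login("kuangshen","123456")
        //SQL injection attempt
        login("' or '1=1","123456");
    }

    /**
     * Login business logic: looks up rows in {@code users} whose NAME and PASSWORD equal the
     * given values and prints the NAME of every match.
     *
     * <p>All JDBC resources are opened in try-with-resources so they are closed, in reverse
     * order, on every path — including when {@code prepareStatement} or {@code executeQuery}
     * throws. Previously the release call sat inside the {@code try} body, so an exception
     * skipped it and leaked the connection, statement and result set.
     *
     * <p>The password column is compared as plain text here only to keep the lesson short; a
     * real system would store and compare a password hash.
     *
     * @param username value bound to the {@code NAME} placeholder; treated purely as data
     * @param password value bound to the {@code PASSWORD} placeholder; treated purely as data
     */
    public static void login(String username, String password) {

        // Why PreparedStatement stops injection: the SQL text with '?' placeholders is fixed
        // before the arguments are bound, and the arguments are passed as values. A quote inside
        // an argument cannot close the string literal, so "' or '1=1" never becomes SQL.
        String sql = "select * from users where `NAME`= ? AND `PASSWORD`=?" ;   //Mybatis

        try (Connection conn = getConnection();
             PreparedStatement st = conn.prepareStatement(sql)) {
            st.setString(1, username);
            st.setString(2, password);

            // The result set is a resource of its own and must be closed as well.
            try (ResultSet rs = st.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getString("NAME"));
                }
            }
        } catch (Exception e) {
            // Kept broad because the exception type declared by getConnection() lives in
            // JdbcUtils, outside this file — TODO narrow to SQLException once confirmed.
            e.printStackTrace();
        }
    }
}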
